Bugtraq mailing list archives

Re: Analysis of trin00

From: stefan () AESCHBACHER COM (Stefan Aeschbacher)
Date: Thu, 9 Dec 1999 00:21:51 -0800


Hi
here are some snort rules which could show the presence of a trin00
network
in the observed IP-range. This rules work only as long as the
ports/passwords/protocol aren't changed.
The rules are not tested, they rely on the paper of Dave Dittrich posted
in Bugtraq (for more information
see this great paper). If you have programs using high numbered UDP
ports some of the rules will give false alarm.
Another way to identify trin00 would be the search for the packets that
contain one of the daemon or master
commands. Unfortunately most of them are strings which are common on a
network (e.g. quit, help) but some of
them could be used to detect trin00. If you see several of this alerts,
there's probably an attack running, that's
more or less the only time this rules can detect trin00.

# Trin00 commands are sent
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to
Master";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to
Master (default startup pass detected!)"; content:"betaalmostdone";))
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to
Master (default r.i. pass detected!)"; content:"gOrave";))
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to
Master (default mdie pass detected!)"; content:"killme";))
alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to
Daemon";)
alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon
(default pass detected!)"; content:"l44adsl";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to
Master";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master
(*HELLO* detected)"; content:"*HELLO*";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master
(PONG detected)"; content:"PONG";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master
(message detected)"; content:"l44";)

Stefan Aeschbacher

--
   Stefan Aeschbacher
   Federal Institute of Technology     Where do you want to go today?
   Lausanne Switzerland
   http://www.aeschbacher.ch/stefan       - NOT in your direction! -

Current thread:

new IE5 remote exploit Jeremy Kothe (Dec 05)
- Re: new IE5 remote exploit Dustin Miller (Dec 06)
  - Re: new IE5 remote exploit krisp (Dec 06)
  - Analysis of trin00 Dave Dittrich (Dec 07)
    - Re: Analysis of trin00 Stefan Aeschbacher (Dec 09)
    - Re: Analysis of trin00 Jacob Langseth (Dec 09)
    - ISSalert: ISS Security Advisory: Buffer Overflow in Solaris Snoop Aleph One (Dec 09)
    - Re: Analysis of trin00 Stefan Aeschbacher (Dec 09)
    - xsw 1.24 remote buffer overflow Aleph One (Dec 09)
  - Analysis of Tribe Flood Network Dave Dittrich (Dec 07)
    - Re: Analysis of Tribe Flood Network Mixter (Dec 08)
    - Re: Analysis of Tribe Flood Network Stefan Laudat (Dec 10)
    - Error in System Policies Adam Simms (Dec 10)
    - Re: Analysis of Tribe Flood Network Mixter (Dec 11)
    - Big problem on linux 2.0 visi0n (Dec 11)

(Thread continues...)